Direct edit of ipsec.conf possible?

[Kofl]

Hi,

we have for one VPN connection many subnets to route and via GUI its hard to add them.

Is it possible to edit directly the ipsec.conf or where is OPNsense storing its own configuration for strongswan?

Thanks

[franco]

The short answer is no...

Which entry are you adding? E.g. manual SPD works via drag+drop

[Kofl]

left and right subnets, quite a lot - would be at the ipsec.conf just two lines.

[Kofl]

We have 10 subnets on left and 12 subnets on right. How to add that via the GUI, when for every SPD the local network and the remote network must be entered?

[mimugmail]

No Aggregation possible?

[Kofl]

The VPN "partner" insists on every single small subnet routing

[mimugmail]

Then you have to add all possible combinations by hand or hide all networks on your side behind one.

[Kofl]

Thanks, not really what we expected.

[Kofl]

Could we maybe work with "Manual SPD entries"?

Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma seperated list.

[mimugmail]

I only used it for hiding networks behind .. no idea if this would also work.
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

[Kofl]

yes, we also used it for that. Maybe @Franco can enlighten us?

[franco]

NAT before IPsec can hide your outgoing networks under a single IP. You still have to list rightsubnets unless they NAT as well and provide services mapped to that IP. ;)


Cheers,
Franco

[Kofl]

Thx, then we have to go the default way.